Compromise Host Software Binary T1554

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 15 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (24 distinct)

The fields that most rules look at when detecting this technique. The How column lists the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| event.type | 6 | eq 6 | start, creation |
| TargetFilename | 3 | in 2, wildcard 1 | */.github/workflows/*.yaml, */.github/workflows/*.yml, */.github/workflows/discussion.yaml, */.github/workflows/discussion.yml, */.github/workflows/formatter_*.yaml |
| process_name | 3 | eq 3, wildcard 1 | agentactivationruntimestarter.exe, agentservice.exe, aggregatorhost.exe, brave.exe, brave_vpn_helper.exe |
| BuildProcessTime | 2 | le 2 | FileEditTime |
| EventType | 2 | eq 2 | FileCreated, FileModified, load |
| Hashes | 2 | is_not_null 1, ne 1 | ddc7a6c3a4b50d23daffe8e364c575fd7df9af9711b14d153b09553ddd3670a0 |
| Image | 2 | contains 1, ne 1 | c:\program files (x86)\teams installer\teams.exe, c:\program files\rocketchat\rocket.chat.exe, hybridconnectionmanager |
| parent_process_name | 2 | eq 2 | CiscoCollabHost.exe, Discord.exe, Teams.exe, outlook.exe |
| AccessMask | 1 | eq 1 | 0X100, 0x4, 0x6 |
| EventData | 1 | contains 1 | .cpp, .cs, 0x100 |
| EventID | 1 | eq 1 | 4663, 4688 |
| InitiatingProcessSHA256 | 1 | in 1 | 0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389, c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168 |
| IsActive | 1 | eq 1 | true |
| ObjectName | 1 | ends_with 1 | .cpp, .cs |
| ObservableKey | 1 | contains 1 | file:hashes |

Top indicator values (785 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 5 | 241 |
| BuildProcessTime | le | FileEditTime | 2 | 2 |
| AccessMask | eq | 0X100 | 1 | |
| AccessMask | eq | 0x4 | 1 | |
| AccessMask | eq | 0x6 | 1 | 3 |
| EventData | contains | .cpp | 1 | |
| EventData | contains | .cs | 1 | |
| EventData | contains | 0x100 | 1 | |
| EventData | contains | 0x4 | 1 | |
| EventData | contains | 0x6 | 1 | |
| EventData | contains | dotnet.exe | 1 | |
| EventData | contains | msbuild.exe | 1 | |
| EventData | contains | vbcscompiler.exe | 1 | |
| EventID | eq | 4663 | 1 | 34 |
| EventID | eq | 4688 | 1 | 312 |
| EventType | eq | FileCreated | 1 | 5 |
| EventType | eq | FileModified | 1 | |
| EventType | eq | load | 1 | 5 |
| Hashes | ne | ddc7a6c3a4b50d23daffe8e364c575fd7df9af9711b14d153b09553ddd3670a0 | 1 | |
| Image | contains | hybridconnectionmanager | 1 | |
| Image | ne | c:\program files (x86)\teams installer\teams.exe | 1 | |
| Image | ne | c:\program files\rocketchat\rocket.chat.exe | 1 | |
| InitiatingProcessSHA256 | in | 0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389 | 1 | |
| InitiatingProcessSHA256 | in | c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168 | 1 | |
| IsActive | eq | true | 1 | 6 |
| ObjectName | ends_with | .cpp | 1 | |
| ObjectName | ends_with | .cs | 1 | |
| ObservableKey | contains | file:hashes | 1 | 2 |
| Process | contains | dotnet.exe | 1 | |
| Process | contains | msbuild.exe | 1 | |

Exclusions (65 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| process.code_signature.trusted | eq | true | 3 |
| Image | wildcard | ?:\users\*\appdata\local\google\chrome\application\chrome.exe | 2 |
| Image | wildcard | ?:\users\*\appdata\local\island\island\application\island.exe | 2 |
| Image | wildcard | ?:\users\*\appdata\local\mozilla firefox\firefox.exe | 2 |
| Image | wildcard | ?:\windows\system32\werfault.exe | 2 |
| Image | wildcard | ?:\windows\syswow64\werfault.exe | 2 |
| Image | wildcard | ?:\$windows.~bt\newos\windows\system32\ie4ushowie.exe | 1 |
| Image | wildcard | ?:\program files (x86)\* | 1 |
| Image | wildcard | ?:\program files (x86)\*.exe | 1 |
| Image | wildcard | ?:\program files (x86)\axence\nvision agent 2\nss\certutil.exe | 1 |
| Image | wildcard | ?:\program files\* | 1 |
| Image | wildcard | ?:\program files\*.exe | 1 |
| Image | wildcard | ?:\program files\git\usr\bin\find.exe | 1 |
| Image | wildcard | ?:\program files\git\usr\bin\hostname.exe | 1 |
| Image | wildcard | ?:\users\*\appdata\local\microsoft\teams\current\teams.exe | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.

Sigma: 2 rules
Elastic: 7 rules
Splunk: 2 rules
Kusto: 4 rules